Abstract

We formalise and mechanise a constructive, proof-theoretic proof
of Craig's Interpolation Theorem in Isabelle/HOL. We give all the
definitions and lemma statements both formally and informally. We
also transcribe informally the formal proofs. We detail the main
features of our mechanisation, such as the formalisation of binding
for first order formulae. We also give some applications of Craig's
Interpolation Theorem.

1. Introduction 

Craig's Interpolation Theorem is one of the main results in
elementary proof theory. It is a result about FOL. Its proof is similar
in style to the more famous Cut elimination theorem of Gentzen
[Sza69]. In fact, the two results are intimately connected, and both
are part of a general concern with "purity of methods" [Gir87].

As with Cut elimination, Craig's Interpolation Theorem has 
many applications, particularly to the formalisation and mechani- 
sation of mathematics, to the making of definitions, to the stating 
of lemmas, and to the general structuring of formalisations. It is 
primarily a result about modularity at the level of definitions and 
lemmas. 

This work describes the first mechanised proof of Craig's In- 
terpolation Theorem. Why mechanise Craig's Interpolation Theo- 
rem? Correctness is one of the main considerations. Particularly, 
we would like our proofs to be correctly formed (a purely syntac- 
tic condition), even if we must use our own faculties to ensure the 
correctness of definitions (that they conform to our informal no- 
tions). Results in proof theory are particularly appropriate for for- 
malisation because they often involve substantial syntactic weight, 
which can cause typographical and real errors to creep into non- 
mechanised presentations. 

A formal presentation also clarifies details, which in turn has
pedagogic advantages. For example, the notion of variable binding
and alpha conversion, which are often viewed as tricky to establish
formally, are present in two places when formalising FOL. They
are present when considering variable binding ∀x, ∃x in formulae.
They are also present in proof terms with the notion of an
eigenvariable. Much of the motivation behind the recent POPLmark
challenge [ABF+05] is to assess the current state of theorem provers
with regard to the mechanisation of proofs about logical systems,
particularly with respect to their handling of binding. There is
clearly a lot of interest in this area, and we believe our work
contains contributions.

The proof of Craig's Interpolation Theorem we mechanise here 
is constructive, which means that the proof contains an algorithm. 
For a given proof this algorithm constructs interpolation formulas. 
Thus, the proof of the theorem is simultaneously the verification of 
an algorithm. We believe this algorithm would be extremely hard 
to get right without mechanical assistance, for exactly the same 



reasons that it is hard to construct a correct informal proof: the 
details overwhelm. 

In this paper, we describe the result itself, and its
mechanisation in the Isabelle/HOL theorem prover. The mechanisation is
presented in its entirety, save that some tactic proof scripts have
been omitted. The paper should be readable with no Isabelle/HOL
knowledge. By omitting the Isabelle/HOL material, a standard
informal mathematical presentation is obtained. The full proof scripts
can be obtained from the author's homepage [1].

The mechanisation has several interesting features which we 
discuss after the presentation of the main result. 

We briefly outline the following sections. In Sect. 2 we describe
the formal syntax of Isabelle/HOL. In Sect. 3 we describe terms,
and in Sect. 4 we describe formulae. In Sect. 5 we describe the
system of FOL for which we prove Craig's Interpolation Theorem.
In Sect. 6 we motivate the statement of (a strong form of) Craig's
Interpolation Theorem, and in Sect. 7 we prove the theorem by
induction over derivations. Throughout we give both an informal
presentation, and the formal version for comparison. Our development
is axiomatic. To ensure that the axioms are satisfiable, we also
provide in Sect. 8 a concrete development which is conservative over
the base Isabelle/HOL logic. In Sect. 9 we briefly analyse the
mechanisation, and then in Sect. 10 we discuss applications of the
theorem and its mechanisation. Finally, we conclude with a statement
of the main contributions of this work, an examination of related
work, and possibilities to extend this work in the future.

2. Isabelle/HOL Notation 

In the following sections, formal results are stated in the
Isabelle/HOL [PNW03] dialect of the HOL logic.

New types are introduced with the keyword typedecl. New
names for existing types (type aliases) are introduced with the
keyword types. Type constructors are functions mapping type lists
to types. Application of a type constructor is typically written
postfix. For example, the type of sets over an underlying type 'a is
'a set. The type of a function with domain 'a and codomain 'b is
'a => 'b. => is an infix type constructor, which associates to the right.
Lambda abstraction λx is written λ x. The type of pairs whose first
component is of type 'a and whose second component is of type
'b is 'a × 'b. The pair of x and y is written (x, y). The type of
lists whose elements are of type 'a is 'a list. Finite lists are written
[a,b,c]. Consing an element x onto the front of the list xs is written
x#xs.

A particularly important type is nat, the type of the natural
numbers. Non-recursive natural number elimination, or case analysis, is
written case n of 0 => a | Suc n' => f n'.



[1] http://www.cl.cam.ac.uk/~tjr22/

New constants are introduced with the keyword consts. A new
constant is introduced by giving its name followed by :: followed
by its type. Definitions are introduced with the keyword defs. A
definition is written using the metaequality ≡ rather than simple
HOL equality. These two keywords are combined into the single
keyword constdefs.

Axioms are introduced with the keyword axioms. 

Our Isabelle theory files are ASCII text files. The format of these
files is described in [PNW03]. The usual logical connectives are
rendered in ASCII as follows. ∀x. P x is ∀ x. P x, ∃x. P x is ∃ x. P x,
A → B is A --> B, A ∧ B is A ∧ B, A ∨ B is A ∨ B. ¬A is ~ A.
A ⇒ B is A ==> B.

A common language is that of sets. Set notation is as follows.
a ∈ A is a ∈ A. a ∉ A is a ∉ A. The empty set is {}. Set union
A ∪ B is A ∪ B. Set intersection A ∩ B is A ∩ B. Finite sets are
written {a,b,c}. A ⊆ B is A ⊆ B. The union of the images f x of a
function f over the elements x of a set S is UNION S f.

ML-style datatypes are introduced with the keyword datatype, 
followed by the name of the new type, followed by constructors 
with the types of their arguments. The associated initial free struc- 
ture with these constructors is then generated, together with various 
theorems about the structure. Functions can be defined by primitive 
recursion over the datatype. Primitive recursive functions are intro- 
duced with the keyword primrec. 



3. Terms 

Variables are indexed by ℕ.

types var = nat

Terms are simply variables.

types tm = var

The extension to full first order terms is trivial. However, this 
obscures the development. Moreover, first order terms can be sim- 
ulated using variables and relations. 

4. Formulae, Occurrences 

Primitive formulae P(x, y, z) are predicates P applied to a tuple of
variables (x, y, z). Predicates P, Q, ... are in reality identified by
an index i ∈ ℕ, so that primitive predicates are P₀, P₁, ... Arbitrary
length tuples (x, y, ..., z) are represented by lists. Formulae
A are defined inductively in the usual way from primitive formulae
using additional constructors ⊥, ⊤, ∧, ∨, ¬, ∀, ∃.

types pred = nat

typedecl form

consts
  P :: pred => tm list => form
  ⊥ :: form
  ⊤ :: form
  ∧ :: form => form => form
  ∨ :: form => form => form
  ¬_ :: form => form
  ∀_ :: var => form => form
  ∃_ :: var => form => form

Note that Pᵢ(x, y) is different to Pᵢ(x, y, z) but that later
definitions, such as pos, neg, do not distinguish them. The usual
informal solution is not to work with two predicates of the same name
(index) but different arities. Alternatively a predicate could be
distinguished not only by its index, but also by its arity.



Informally, we often write quantified formulae as ∀x.A[x], ∃x.A[x],
and instantiations as A[t], A[a]. The square brackets in quantified
formulae ∀x.A[x], ∃x.A[x] and instantiations A[t], A[a] have no
formal meaning but are intended to suggest the presence of
occurrences in the body. Sometimes they are intended to capture all
occurrences in the body of the formula, for instance, when writing
∀x.A[x], we are usually talking about all occurrences of x in A.
Other times they are intended to capture only some occurrences in
the body of the formula, for instance, when instantiating ∀x.A[x]
with a term t, we write A[t] to emphasise that the occurrences of
x have been replaced by t, even though t may occur already in A.
Generally, [] occurs in a rule that deals with binding. Then if []
surrounds a bound variable, it matches all occurrences of the variable
in the term. If [] surrounds a non-(bound variable) it binds some
occurrences (those where the bound variable previously appears).

∀ and ∃ bind variables in the body of the formula. We introduce
auxiliary functions to handle instantiating quantifiers. For example,
FAll-inst applied to a formula ∀x.A[x] and a term t should produce
the formula A[t].

consts
  FAll-inst :: tm => form => form
  FEx-inst :: tm => form => form

axioms
  (FAll-inst a (∀_ a C)) = C
  (FEx-inst a (∃_ a C)) = C

The free variables of a formula are defined as usual.

consts fv :: form => var list

axioms
  a ∉ (set o fv) (∀_ a C)
  a ∉ (set o fv) (∃_ a C)

Positive and negative occurrences in a formula are defined.

consts pos :: form => pred set

axioms
  pos (P i tms) = {i}
  pos ⊥ = {}
  pos ⊤ = {}
  pos (A ∧ B) = (pos A) ∪ (pos B)
  pos (A ∨ B) = (pos A) ∪ (pos B)
  pos (¬_ A) = neg A
  pos (∀_ a A) = pos A
  pos (∃_ a A) = pos A

consts neg :: form => pred set

axioms
  neg (P i tms) = {}
  neg ⊥ = {}
  neg ⊤ = {}
  neg (A ∧ B) = (neg A) ∪ (neg B)
  neg (A ∨ B) = (neg A) ∪ (neg B)
  neg (¬_ A) = pos A
  neg (∀_ a A) = neg A
  neg (∃_ a A) = neg A

axioms
  pos (FAll-inst t (∀_ a A)) = pos (∀_ a A)
  neg (FAll-inst t (∀_ a A)) = neg (∀_ a A)
  pos (FEx-inst t (∃_ a A)) = pos (∃_ a A)
  neg (FEx-inst t (∃_ a A)) = neg (∃_ a A)

5. Sequents, Logical System 

Sequents Γ ⊢ Δ are pairs of sets of formulae.

types seq = form set * form set

The sets are intended to be finite. We make the restriction
to finite sets of formulae when we define derivations. We write
sets of formulae using , to denote (non-disjoint) set union. Thus

  Γ₁,Γ₂ = Γ₁ ∪ Γ₂.

We employ a standard multiple conclusion sequent calculus,
see Fig. 1. Formulae in the conclusion of a rule are retained in
the premises. Exchange does not apply because we are working
with sets of formulae. Similarly contraction. Weakening is actually
admissible, but we include it as an explicit rule because it makes
the proofs more elegant. For the weakening rules, it is important to
recognise that A may appear in Γ, Δ.

The logical system describes the construction of a derivation. A 
derivation is a tree where each node is an instance of a rule. 

datatype deriv = Init seq
  | ⊥L seq
  | ⊤R seq
  | ∧L seq deriv
  | ∧R seq deriv deriv
  | ∨L seq deriv deriv
  | ∨R seq deriv
  | ¬L seq deriv
  | ¬R seq deriv
  | ∀L seq deriv
  | ∀R seq deriv
  | ∃L seq deriv
  | ∃R seq deriv
  | WL seq deriv
  | WR seq deriv

The first argument to each derivation constructor indicates the
root sequent of the derivation formed using the constructor. The
additional arguments provide auxiliary information necessary to
determine the rule. For example, in the case of ∧L, we must give
the formulae A and B where A∧B is the formula we are analysing,
and we must also provide a subderivation of the premise of the
rule. The exact requirements are explicitly stated when we define
is-deriv.

The root of a derivation is straightforward.

consts root :: deriv => seq

primrec
  root (Init ΓΔ) = ΓΔ
  root (⊥L ΓΔ) = ΓΔ
  root (⊤R ΓΔ) = ΓΔ
  root (∧L ΓΔ d) = ΓΔ
  root (∧R ΓΔ dl dr) = ΓΔ
  root (∨L ΓΔ dl dr) = ΓΔ
  root (∨R ΓΔ d) = ΓΔ
  root (¬L ΓΔ d) = ΓΔ
  root (¬R ΓΔ d) = ΓΔ
  root (∀L ΓΔ d) = ΓΔ
  root (∀R ΓΔ d) = ΓΔ
  root (∃L ΓΔ d) = ΓΔ
  root (∃R ΓΔ d) = ΓΔ
  root (WL ΓΔ d) = ΓΔ
  root (WR ΓΔ d) = ΓΔ



We use a predicate to pick out wellformed derivations.

consts is-deriv :: deriv => bool

primrec
  is-deriv (Init ΓΔ) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A. A ∈ Γ
      ∧ A ∈ Δ))

  is-deriv (⊥L ΓΔ) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ ⊥ ∈ Γ)

  is-deriv (⊤R ΓΔ) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ ⊤ ∈ Δ)

  is-deriv (∧L ΓΔ d) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A B. A∧B ∈ Γ
      ∧ is-deriv d
      ∧ root d = ({A,B} ∪ Γ,Δ)))

  is-deriv (∧R ΓΔ dl dr) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A B. A∧B ∈ Δ
      ∧ is-deriv dl
      ∧ root dl = (Γ,Δ ∪ {A})
      ∧ is-deriv dr
      ∧ root dr = (Γ,Δ ∪ {B})))

  is-deriv (∨L ΓΔ dl dr) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A B. A∨B ∈ Γ
      ∧ is-deriv dl
      ∧ root dl = ({A} ∪ Γ,Δ)
      ∧ is-deriv dr
      ∧ root dr = ({B} ∪ Γ,Δ)))

  is-deriv (∨R ΓΔ d) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A B. A∨B ∈ Δ
      ∧ is-deriv d
      ∧ root d = (Γ,Δ ∪ {A,B})))

  is-deriv (¬L ΓΔ d) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ C. ¬_ C ∈ Γ
      ∧ is-deriv d
      ∧ root d = (Γ,Δ ∪ {C})))

  is-deriv (¬R ΓΔ d) = (let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ C. ¬_ C ∈ Δ
      ∧ is-deriv d
      ∧ root d = ({C} ∪ Γ,Δ)))

  is-deriv (∀L ΓΔ d) = (
    let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A a t. ∀_ a A ∈ Γ
      ∧ is-deriv d
      ∧ root d = ({FAll-inst t (∀_ a A)} ∪ Γ,Δ)))
Init
  A,Γ ⊢ Δ,A

⊥L
  ⊥,Γ ⊢ Δ

⊤R
  Γ ⊢ Δ,⊤

∧L
  A,B,A∧B,Γ ⊢ Δ
  ─────────────
  A∧B,Γ ⊢ Δ

∧R
  Γ ⊢ Δ,A∧B,A    Γ ⊢ Δ,A∧B,B
  ──────────────────────────
  Γ ⊢ Δ,A∧B

∨L
  A,A∨B,Γ ⊢ Δ    B,A∨B,Γ ⊢ Δ
  ──────────────────────────
  A∨B,Γ ⊢ Δ

∨R
  Γ ⊢ Δ,A∨B,A,B
  ─────────────
  Γ ⊢ Δ,A∨B

¬L
  ¬A,Γ ⊢ Δ,A
  ──────────
  ¬A,Γ ⊢ Δ

¬R
  A,Γ ⊢ Δ,¬A
  ──────────
  Γ ⊢ Δ,¬A

∀L
  A[t],∀x.A[x],Γ ⊢ Δ
  ──────────────────
  ∀x.A[x],Γ ⊢ Δ

∀R
  Γ ⊢ Δ,∀x.A[x],A[a]
  ──────────────────
  Γ ⊢ Δ,∀x.A[x]

∃L
  A[a],∃x.A[x],Γ ⊢ Δ
  ──────────────────
  ∃x.A[x],Γ ⊢ Δ

∃R
  Γ ⊢ Δ,∃x.A[x],A[t]
  ──────────────────
  Γ ⊢ Δ,∃x.A[x]

WL
  Γ ⊢ Δ
  ───────
  A,Γ ⊢ Δ

WR
  Γ ⊢ Δ
  ───────
  Γ ⊢ Δ,A

∀R, ∃L: a not free in the conclusion of the rule.

Figure 1. Rules for a Multiple Conclusion Sequent Calculus



  is-deriv (∀R ΓΔ d) = (
    let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ a A. ∀_ a A ∈ Δ
      ∧ a ∉ UNION (Γ ∪ Δ) (set o fv)
      ∧ is-deriv d
      ∧ root d = (Γ,Δ ∪ {A})))

  is-deriv (∃L ΓΔ d) = (
    let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ a A. ∃_ a A ∈ Γ
      ∧ a ∉ UNION (Γ ∪ Δ) (set o fv)
      ∧ is-deriv d
      ∧ root d = ({A} ∪ Γ,Δ)))

  is-deriv (∃R ΓΔ d) = (
    let (Γ,Δ) = ΓΔ in
    finite Γ
    ∧ finite Δ
    ∧ (∃ A a t. ∃_ a A ∈ Δ
      ∧ is-deriv d
      ∧ root d = (Γ,Δ ∪ {FEx-inst t (∃_ a A)})))

  is-deriv (WL ΓΔ d) = (∃ Γ Δ A.
    finite Γ
    ∧ finite Δ
    ∧ is-deriv d
    ∧ root d = (Γ,Δ)
    ∧ ΓΔ = ({A} ∪ Γ,Δ))

  is-deriv (WR ΓΔ d) = (∃ Γ Δ A.
    finite Γ
    ∧ finite Δ
    ∧ is-deriv d
    ∧ root d = (Γ,Δ)
    ∧ ΓΔ = (Γ,Δ ∪ {A}))



6. Statement of Craig's Interpolation Theorem 

Theorem 6.1. (Craig's Interpolation Theorem) If

  Γ ⊢ Δ

then there exists a formula C such that

  Γ ⊢ C  and  C ⊢ Δ

and moreover such that

• Any predicate that occurs positively in C occurs positively in Γ
and in Δ.

• Any predicate that occurs negatively in C occurs negatively in
Γ and in Δ.

lemma craig:
  ∀ d Γ Δ.
    is-deriv d
    ∧ root d = (Γ,Δ)
    ⟶ (∃ C.
        (∃ dl. is-deriv dl ∧ root dl = (Γ,{C}))
        ∧ (∃ dr. is-deriv dr ∧ root dr = ({C},Δ))
        ∧ (pos C ⊆ (UNION Γ pos) ∩ (UNION Δ pos))
        ∧ (neg C ⊆ (UNION Γ neg) ∩ (UNION Δ neg)))
Craig's interpolation theorem is almost provable directly by
structural induction over the derivation. For example, consider the
case where the derivation ends in ∧R².

  Γ ⊢ Δ,A    Γ ⊢ Δ,B
  ────────────────── ∧R
  Γ ⊢ Δ

We have that A∧B ∈ Δ. Using the induction hypothesis twice,
we obtain a C' such that

  Γ ⊢ C'  and  C' ⊢ Δ,A

and a C'' such that

  Γ ⊢ C''  and  C'' ⊢ Δ,B

Take C = C' ∧ C''. We have

  Γ ⊢ C'
  ─────────────── WR
  Γ ⊢ C',C'∧C''

  Γ ⊢ C''
  ─────────────── WR
  Γ ⊢ C'',C'∧C''

  Γ ⊢ C',C'∧C''    Γ ⊢ C'',C'∧C''
  ──────────────────────────────── ∧R
  Γ ⊢ C'∧C''

and

  C' ⊢ Δ,A
  ───────────────────── WL
  C'',C' ⊢ Δ,A
  ───────────────────── WL
  C'∧C'',C'',C' ⊢ Δ,A
  ───────────────────── ∧L
  C'∧C'' ⊢ Δ,A

  C'' ⊢ Δ,B
  ───────────────────── WL
  C',C'' ⊢ Δ,B
  ───────────────────── WL
  C'∧C'',C',C'' ⊢ Δ,B
  ───────────────────── ∧L
  C'∧C'' ⊢ Δ,B

  C'∧C'' ⊢ Δ,A    C'∧C'' ⊢ Δ,B
  ───────────────────────────── ∧R
  C'∧C'' ⊢ Δ

so that Γ ⊢ C and C ⊢ Δ. Moreover, it is clear that the
conditions on positive and negative occurrences are satisfied.

For logical systems which do not include ¬, → connectives,
the proof of Craig's Interpolation Theorem can be carried out
straightforwardly.

However, for systems which include ¬, → the argument breaks
down. The problem is that these connectives alter the polarity of
the occurrences. For example, consider the case of ¬L,

  Γ ⊢ Δ,A
  ──────── ¬L
  Γ ⊢ Δ

We have ¬A ∈ Γ. The induction hypothesis gives us a C' such
that

  Γ ⊢ C'  and  C' ⊢ Δ,A

and moreover satisfying the conditions on polarity of
occurrences. However, one cannot directly obtain a C such that

  Γ ⊢ C  and  C ⊢ Δ

because, for instance, C' may contain a positive occurrence of
A (also occurring in Γ), whereas A may not appear in Δ, so that
C may not contain a positive occurrence of A. Thus the direct
approach to proving Craig's Interpolation Theorem breaks down
for polarity altering connectives.

The solution is to prove a stronger theorem. It is clear that the
problem lies with the polarity altering connectives such as ¬. It is
reasonably easy to motivate a split sequent Γ₁,Γ₂ ⊢ Δ₁,Δ₂. A
goal sequent Γ ⊢ Δ is obtained by taking Γ₁ = Γ, Γ₂ = {}, Δ₁ =
{}, Δ₂ = Δ. The additional components of the sequent, Γ₂, Δ₁,
are used to keep track of the polarity changes occurring in rules
such as ¬L.

Theorem 6.2. (Strengthened Interpolation Theorem) If

  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

then there exists a formula C such that

  Γ₁ ⊢ Δ₁,C  and  C,Γ₂ ⊢ Δ₂

and moreover such that

• Any predicate that occurs positively in C occurs positively³ in
Γ₁,¬Δ₁ and positively in ¬Γ₂,Δ₂.

• Any predicate that occurs negatively in C occurs negatively in
Γ₁,¬Δ₁ and negatively in ¬Γ₂,Δ₂.

lemma craig'':
  ∀ d Γ₁ Γ₂ Δ₁ Δ₂.
    is-deriv d
    ∧ root d = (Γ₁ ∪ Γ₂, Δ₁ ∪ Δ₂)
    ⟶ (∃ C.
        (∃ dl. is-deriv dl ∧ root dl = (Γ₁, Δ₁ ∪ {C}))
        ∧ (∃ dr. is-deriv dr ∧ root dr = ({C} ∪ Γ₂, Δ₂))
        ∧ (pos C ⊆ (UNION Γ₁ pos) ∪ (UNION Δ₁ neg))
        ∧ (pos C ⊆ (UNION Γ₂ neg) ∪ (UNION Δ₂ pos))
        ∧ (neg C ⊆ (UNION Γ₁ neg) ∪ (UNION Δ₁ pos))
        ∧ (neg C ⊆ (UNION Γ₂ pos) ∪ (UNION Δ₂ neg)))

The actual induction is a structural induction over the derivation
of Γ₁,Γ₂ ⊢ Δ₁,Δ₂. It is easiest to state this as an induction over
the size of the derivation.

lemma craig':
  ∀ n. ∀ d. size d = n ⟶
    (∀ Γ₁ Γ₂ Δ₁ Δ₂.
      is-deriv d
      ∧ root d = (Γ₁ ∪ Γ₂, Δ₁ ∪ Δ₂)
      ⟶ (∃ C.
          (∃ dl. is-deriv dl ∧ root dl = (Γ₁, Δ₁ ∪ {C}))
          ∧ (∃ dr. is-deriv dr ∧ root dr = ({C} ∪ Γ₂, Δ₂))
          ∧ (pos C ⊆ (UNION Γ₁ pos) ∪ (UNION Δ₁ neg))
          ∧ (pos C ⊆ (UNION Γ₂ neg) ∪ (UNION Δ₂ pos))
          ∧ (neg C ⊆ (UNION Γ₁ neg) ∪ (UNION Δ₁ pos))
          ∧ (neg C ⊆ (UNION Γ₂ pos) ∪ (UNION Δ₂ neg))))

Corollary 6.3. (Craig's Interpolation Theorem)

Proof. The original formulation of Craig's Interpolation Theorem
follows immediately from Thm. 6.2 by taking (Γ, {}, {}, Δ) =
(Γ₁, Γ₂, Δ₁, Δ₂). □

² Traditionally one displays the analysed formula (in this case, A ∧ B) in
the conclusion of the rule. This is occasionally a useful convention. We do
not follow this convention here; instead, the requirement that the analysed
formula appear in the conclusion is captured formally by a side condition
(in this case, A ∧ B ∈ Δ). Making the formula explicit leads to clumsy
presentations of Craig's Interpolation Theorem, cf. Girard's presentation in
[Gir87]. Incidentally, this presentation also witnesses our previous claim
that informal proofs of Craig's Interpolation Theorem are prone to typos
and other errors. This should not be understood as a failing on the part of
Girard: he is one of the few who even attempt to detail the proof.

³ "positively in Γ₁,¬Δ₁" means positively in Γ₁ or negatively in Δ₁ etc.
7. Proof of Craig's Interpolation Theorem

We aim to prove the strengthened form of Craig's Interpolation
Theorem, Thm. 6.2. We induct over the size of the derivation d
of Γ₁,Γ₂ ⊢ Δ₁,Δ₂, so that we can use the induction hypothesis
for all derivations of smaller size. The body of the proof proceeds
by a case analysis on the last constructor of the given derivation.

In the following cases, apart from the Init case, we do not
check the conditions regarding positive and negative occurrences
in the interpolation formula. These conditions are straightforward
to verify.

7.1 Case Init

We give a formal Isar rendition of the case d ends in rule Init. There
are four subcases. We give a full rendition of the first subcase. The
3 remaining subcases are very similar. We provide the explicit C
for these cases but suppress the mundane proofs. The full details
of the remaining subcases can be found in the mechanised theory
script.

lemma assumes a: is-deriv d and b: root d = (Γ₁ ∪ Γ₂, Δ₁ ∪ Δ₂) and
  c: d = Init ΓΔ
  shows ∃ C. (∃ dl. is-deriv dl ∧ root dl = (Γ₁, Δ₁ ∪ {C}))
    ∧ (∃ dr. is-deriv dr ∧ root dr = ({C} ∪ Γ₂, Δ₂))
    ∧ (pos C ⊆ (UNION Γ₁ pos) ∪ (UNION Δ₁ neg))
    ∧ (pos C ⊆ (UNION Γ₂ neg) ∪ (UNION Δ₂ pos))
    ∧ (neg C ⊆ (UNION Γ₁ neg) ∪ (UNION Δ₁ pos))
    ∧ (neg C ⊆ (UNION Γ₂ pos) ∪ (UNION Δ₂ neg))
  (is ∃ C. ?P C)
proof
  from a b c obtain A where (A ∈ Γ₁ ∧ A ∈ Δ₁) ∨ (A ∈ Γ₁ ∧ A ∈ Δ₂)
    ∨ (A ∈ Γ₂ ∧ A ∈ Δ₁) ∨ (A ∈ Γ₂ ∧ A ∈ Δ₂)
  thus ?thesis
  proof (elim disjE)
    assume A ∈ Γ₁ ∧ A ∈ Δ₁
    have ?P ⊥
    proof (intro conjI)
      show (∃ dl. is-deriv dl ∧ root dl = (Γ₁, Δ₁ ∪ {⊥}))
      proof
        let ?dl = Init (Γ₁, Δ₁ ∪ {⊥})
        show is-deriv ?dl ∧ root ?dl = (Γ₁, Δ₁ ∪ {⊥}) by (force! simp add: Let-def)
      qed
    next
      show (∃ dr. is-deriv dr ∧ root dr = ({⊥} ∪ Γ₂, Δ₂))
      proof
        let ?dr = ⊥L ({⊥} ∪ Γ₂, Δ₂)
        show is-deriv ?dr ∧ root ?dr = ({⊥} ∪ Γ₂, Δ₂) by (force! simp add: Let-def)
      qed
    next
      show pos ⊥ ⊆ (UNION Γ₁ pos) ∪ (UNION Δ₁ neg) by (simp!)
      show pos ⊥ ⊆ (UNION Γ₂ neg) ∪ (UNION Δ₂ pos) by (simp!)
      show neg ⊥ ⊆ (UNION Γ₁ neg) ∪ (UNION Δ₁ pos) by (simp!)
      show neg ⊥ ⊆ (UNION Γ₂ pos) ∪ (UNION Δ₂ neg) by (simp!)
    qed
    thus ?thesis ..
  next
    assume A ∈ Γ₁ ∧ A ∈ Δ₂
    have ?P A
    thus ?thesis ..
  next
    assume A ∈ Γ₂ ∧ A ∈ Δ₁
    have ?P (¬_ A)
    thus ?thesis ..
  next
    assume A ∈ Γ₂ ∧ A ∈ Δ₂
    have ?P ⊤
    thus ?thesis ..
  qed
qed



7.2 Case ∧L

We have

  d
  A,B,Γ₁,Γ₂ ⊢ Δ₁,Δ₂
  ────────────────── ∧L
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation, we have that A∧B ∈
Γ₁,Γ₂. There are two subcases, A∧B ∈ Γ₁ or A∧B ∈ Γ₂.

• Case A∧B ∈ Γ₁. The I.H. applied to d gives C', dl, dr such
that

  dl                        dr
  A,B,Γ₁ ⊢ Δ₁,C'   and   C',Γ₂ ⊢ Δ₂

Take C = C'. Then

  dl
  A,B,Γ₁ ⊢ Δ₁,C'
  ────────────── ∧L
  Γ₁ ⊢ Δ₁,C'

The formal proof witness is

  ∧L (Γ₁, Δ₁ ∪ {C'}) dl

dr is already a witness for C',Γ₂ ⊢ Δ₂.

• Case A∧B ∈ Γ₂. The I.H. applied to d gives C', dl, dr such
that

  dl                     dr
  Γ₁ ⊢ Δ₁,C'   and   C',A,B,Γ₂ ⊢ Δ₂

Take C = C'. Then

  dr
  C',A,B,Γ₂ ⊢ Δ₂
  ────────────── ∧L
  C',Γ₂ ⊢ Δ₂

The formal proof witness is

  ∧L ({C'} ∪ Γ₂, Δ₂) dr

dl is already a witness for Γ₁ ⊢ Δ₁,C'.

7.3 Case ∧R

We have

  dl                     dr
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂,A    Γ₁,Γ₂ ⊢ Δ₁,Δ₂,B
  ───────────────────────────────────── ∧R
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation, we have that A∧B ∈
Δ₁,Δ₂. There are two subcases, A∧B ∈ Δ₁ or A∧B ∈ Δ₂.



6 



2008/2/1 



• Case A∧B ∈ Δ₁. The I.H. applied to dl gives C', dll, dlr such
that

  dll                      dlr
  Γ₁ ⊢ Δ₁,A,C'   and   C',Γ₂ ⊢ Δ₂

The I.H. applied to dr gives C'', drl, drr such that

  drl                       drr
  Γ₁ ⊢ Δ₁,B,C''   and   C'',Γ₂ ⊢ Δ₂

Take C = C' ∨ C''. Then

  dll
  Γ₁ ⊢ Δ₁,A,C'
  ──────────────────────── WR
  Γ₁ ⊢ Δ₁,A,C',C'∨C''
  ──────────────────────── WR
  Γ₁ ⊢ Δ₁,A,C',C'∨C'',C''
  ──────────────────────── ∨R
  Γ₁ ⊢ Δ₁,A,C'∨C''

  drl
  Γ₁ ⊢ Δ₁,B,C''
  ──────────────────────── WR
  Γ₁ ⊢ Δ₁,B,C'',C'∨C''
  ──────────────────────── WR
  Γ₁ ⊢ Δ₁,B,C'',C'∨C'',C'
  ──────────────────────── ∨R
  Γ₁ ⊢ Δ₁,B,C'∨C''

  Γ₁ ⊢ Δ₁,A,C'∨C''    Γ₁ ⊢ Δ₁,B,C'∨C''
  ───────────────────────────────────── ∧R
  Γ₁ ⊢ Δ₁,C'∨C''

The formal proof witness is

  let dll' = WR (Γ₁, Δ₁ ∪ {A, C', ∨ C' C''}) dll in
  let dll'' = WR (Γ₁, Δ₁ ∪ {A, C', ∨ C' C'', C''}) dll' in
  let dll''' = ∨R (Γ₁, Δ₁ ∪ {A, ∨ C' C''}) dll'' in
  let drl' = WR (Γ₁, Δ₁ ∪ {B, C'', ∨ C' C''}) drl in
  let drl'' = WR (Γ₁, Δ₁ ∪ {B, C'', ∨ C' C'', C'}) drl' in
  let drl''' = ∨R (Γ₁, Δ₁ ∪ {B, ∨ C' C''}) drl'' in
  ∧R (Γ₁, Δ₁ ∪ {∨ C' C''}) dll''' drl'''

Similarly

  dlr
  C',Γ₂ ⊢ Δ₂
  ────────────────── WL
  C'∨C'',C',Γ₂ ⊢ Δ₂

  drr
  C'',Γ₂ ⊢ Δ₂
  ────────────────── WL
  C'∨C'',C'',Γ₂ ⊢ Δ₂

  C'∨C'',C',Γ₂ ⊢ Δ₂    C'∨C'',C'',Γ₂ ⊢ Δ₂
  ─────────────────────────────────────── ∨L
  C'∨C'',Γ₂ ⊢ Δ₂

The formal proof witness is

  let dlr' = WL ({∨ C' C'', C'} ∪ Γ₂, Δ₂) dlr in
  let drr' = WL ({∨ C' C'', C''} ∪ Γ₂, Δ₂) drr in
  ∨L ({∨ C' C''} ∪ Γ₂, Δ₂) dlr' drr'

• Case A∧B ∈ Δ₂. The I.H. applied to dl gives C', dll, dlr such
that

  dll                    dlr
  Γ₁ ⊢ Δ₁,C'   and   C',Γ₂ ⊢ Δ₂,A

The I.H. applied to dr gives C'', drl, drr such that

  drl                     drr
  Γ₁ ⊢ Δ₁,C''   and   C'',Γ₂ ⊢ Δ₂,B

Take C = C' ∧ C''. Then

  dll
  Γ₁ ⊢ Δ₁,C'
  ────────────────── WR
  Γ₁ ⊢ Δ₁,C',C'∧C''

  drl
  Γ₁ ⊢ Δ₁,C''
  ────────────────── WR
  Γ₁ ⊢ Δ₁,C'',C'∧C''

  Γ₁ ⊢ Δ₁,C',C'∧C''    Γ₁ ⊢ Δ₁,C'',C'∧C''
  ──────────────────────────────────────── ∧R
  Γ₁ ⊢ Δ₁,C'∧C''

The formal proof witness is

  let dll' = WR (Γ₁, Δ₁ ∪ {C', ∧ C' C''}) dll in
  let drl' = WR (Γ₁, Δ₁ ∪ {C'', ∧ C' C''}) drl in
  ∧R (Γ₁, Δ₁ ∪ {∧ C' C''}) dll' drl'

Similarly

  dlr
  C',Γ₂ ⊢ Δ₂,A
  ──────────────────────── WL
  C'',C',Γ₂ ⊢ Δ₂,A
  ──────────────────────── WL
  C'∧C'',C'',C',Γ₂ ⊢ Δ₂,A
  ──────────────────────── ∧L
  C'∧C'',Γ₂ ⊢ Δ₂,A

  drr
  C'',Γ₂ ⊢ Δ₂,B
  ──────────────────────── WL
  C',C'',Γ₂ ⊢ Δ₂,B
  ──────────────────────── WL
  C'∧C'',C',C'',Γ₂ ⊢ Δ₂,B
  ──────────────────────── ∧L
  C'∧C'',Γ₂ ⊢ Δ₂,B

  C'∧C'',Γ₂ ⊢ Δ₂,A    C'∧C'',Γ₂ ⊢ Δ₂,B
  ───────────────────────────────────── ∧R
  C'∧C'',Γ₂ ⊢ Δ₂

The formal proof witness is

  let dlr' = WL ({C'', C'} ∪ Γ₂, Δ₂ ∪ {A}) dlr in
  let dlr'' = WL ({∧ C' C'', C'', C'} ∪ Γ₂, Δ₂ ∪ {A}) dlr' in
  let dlr''' = ∧L ({∧ C' C''} ∪ Γ₂, Δ₂ ∪ {A}) dlr'' in
  let drr' = WL ({C', C''} ∪ Γ₂, Δ₂ ∪ {B}) drr in
  let drr'' = WL ({∧ C' C'', C', C''} ∪ Γ₂, Δ₂ ∪ {B}) drr' in
  let drr''' = ∧L ({∧ C' C''} ∪ Γ₂, Δ₂ ∪ {B}) drr'' in
  ∧R ({∧ C' C''} ∪ Γ₂, Δ₂) dlr''' drr'''

7.4 Case ∨L

Symmetric to ∧R.

7.5 Case ∨R

Symmetric to ∧L.

7.6 Case ¬L

We have

  d
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂,A
  ──────────────── ¬L
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation, we have that ¬A ∈
Γ₁,Γ₂. There are two subcases, ¬A ∈ Γ₁ or ¬A ∈ Γ₂.
• Case ¬A ∈ Γ₁. Then the I.H. applied to d gives C', dl, dr such
that

  dl                      dr
  Γ₁ ⊢ Δ₁,A,C'   and   C',Γ₂ ⊢ Δ₂

Take C = C'. Then

  dl
  Γ₁ ⊢ Δ₁,A,C'
  ──────────── ¬L
  Γ₁ ⊢ Δ₁,C'

The formal proof witness is

  ¬L (Γ₁, Δ₁ ∪ {C'}) dl

dr is already a witness for C',Γ₂ ⊢ Δ₂.

• Case ¬A ∈ Γ₂. Then the I.H. applied to d gives C', dl, dr such
that

  dl                    dr
  Γ₁ ⊢ Δ₁,C'   and   C',Γ₂ ⊢ Δ₂,A

Take C = C'. Then

  dr
  C',Γ₂ ⊢ Δ₂,A
  ──────────── ¬L
  C',Γ₂ ⊢ Δ₂

The formal proof witness is

  ¬L ({C'} ∪ Γ₂, Δ₂) dr

dl is already a witness for Γ₁ ⊢ Δ₁,C'.

7.7 Case ¬R

Symmetric to ¬L.

7.8 Case ∀L

We have

  d
  A[t],Γ₁,Γ₂ ⊢ Δ₁,Δ₂
  ─────────────────── ∀L
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation, we have that ∀x.A[x] ∈
Γ₁,Γ₂. There are two subcases, ∀x.A[x] ∈ Γ₁ or ∀x.A[x] ∈ Γ₂.

• Case ∀x.A[x] ∈ Γ₁. Then the I.H. applied to d gives C', dl, dr
such that

  dl                         dr
  A[t],Γ₁ ⊢ Δ₁,C'   and   C',Γ₂ ⊢ Δ₂

Take C = C'. Then

  dl
  A[t],Γ₁ ⊢ Δ₁,C'
  ─────────────── ∀L
  Γ₁ ⊢ Δ₁,C'

The formal proof witness is

  ∀L (Γ₁, Δ₁ ∪ {C'}) dl

dr is already a witness for C',Γ₂ ⊢ Δ₂.

• Case ∀x.A[x] ∈ Γ₂. Then the I.H. applied to d gives C', dl, dr
such that

  dl                      dr
  Γ₁ ⊢ Δ₁,C'   and   C',A[t],Γ₂ ⊢ Δ₂

Take C = C'. Then

  dr
  C',A[t],Γ₂ ⊢ Δ₂
  ─────────────── ∀L
  C',Γ₂ ⊢ Δ₂

The formal proof witness is

  ∀L ({C'} ∪ Γ₂, Δ₂) dr

dl is already a witness for Γ₁ ⊢ Δ₁,C'.

7.9 Case ∀R

We have

  d
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂,A[a]
  ─────────────────── ∀R
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation, we have that ∀x.A[x] ∈
Δ₁,Δ₂. There are two subcases, ∀x.A[x] ∈ Δ₁ or ∀x.A[x] ∈ Δ₂.

• Case ∀x.A[x] ∈ Δ₁. Then the I.H. applied to d gives C'[a], dl, dr
such that

  dl                            dr
  Γ₁ ⊢ Δ₁,A[a],C'[a]   and   C'[a],Γ₂ ⊢ Δ₂

Take C = ∃x.C'[x]. Then

  dl
  Γ₁ ⊢ Δ₁,A[a],C'[a]
  ──────────────────────────── WR
  Γ₁ ⊢ Δ₁,A[a],C'[a],∃x.C'[x]
  ──────────────────────────── ∃R
  Γ₁ ⊢ Δ₁,A[a],∃x.C'[x]
  ──────────────────────────── ∀R
  Γ₁ ⊢ Δ₁,∃x.C'[x]

The formal proof witness is

  let dl' = WR (Γ₁, Δ₁ ∪ {A, C', ∃_ a C'}) dl in
  let dl'' = ∃R (Γ₁, Δ₁ ∪ {A, ∃_ a C'}) dl' in
  ∀R (Γ₁, Δ₁ ∪ {∃_ a C'}) dl''

Similarly

  dr
  C'[a],Γ₂ ⊢ Δ₂
  ─────────────────────── WL
  ∃x.C'[x],C'[a],Γ₂ ⊢ Δ₂
  ─────────────────────── ∃L
  ∃x.C'[x],Γ₂ ⊢ Δ₂

The formal proof witness is

  let dr' = WL ({∃_ a C'} ∪ {C'} ∪ Γ₂, Δ₂) dr in
  ∃L ({∃_ a C'} ∪ Γ₂, Δ₂) dr'

• Case ∀x.A[x] ∈ Δ₂. Then the I.H. applied to d gives C'[a], dl, dr
such that

  dl                       dr
  Γ₁ ⊢ Δ₁,C'[a]   and   C'[a],Γ₂ ⊢ Δ₂,A[a]

Take C = ∀x.C'[x]. Then

  dl
  Γ₁ ⊢ Δ₁,C'[a]
  ────────────────────── WR
  Γ₁ ⊢ Δ₁,C'[a],∀x.C'[x]
  ────────────────────── ∀R
  Γ₁ ⊢ Δ₁,∀x.C'[x]

The formal proof witness is

  let dl' = WR (Γ₁, Δ₁ ∪ {C', ∀_ a C'}) dl in
  ∀R (Γ₁, Δ₁ ∪ {∀_ a C'}) dl'

Similarly

  dr
  C'[a],Γ₂ ⊢ Δ₂,A[a]
  ─────────────────────────── WL
  ∀x.C'[x],C'[a],Γ₂ ⊢ Δ₂,A[a]
  ─────────────────────────── ∀L
  ∀x.C'[x],Γ₂ ⊢ Δ₂,A[a]
  ─────────────────────────── ∀R
  ∀x.C'[x],Γ₂ ⊢ Δ₂

The formal proof witness is

  let dr' = WL ({∀_ a C', C'} ∪ Γ₂, Δ₂ ∪ {A}) dr in
  let dr'' = ∀L ({∀_ a C'} ∪ Γ₂, Δ₂ ∪ {A}) dr' in
  ∀R ({∀_ a C'} ∪ Γ₂, Δ₂) dr''

7.10 Case ∃L

Symmetric to ∀R.

7.11 Case ∃R

Symmetric to ∀L.

7.12 Case WL

We have

  d
  Γ ⊢ Δ₁,Δ₂
  ───────────── WL
  Γ₁,Γ₂ ⊢ Δ₁,Δ₂

From wellformedness of the derivation we have that A,Γ =
Γ₁,Γ₂. The I.H. applied to d gives C', dl, dr such that

  dl                          dr
  Γ∩Γ₁ ⊢ Δ₁,C'   and   C',Γ∩Γ₂ ⊢ Δ₂

Take C = C'. There are four subcases.

• Case A ∈ Γ₁, A ∈ Γ₂. Then

  dl
  Γ∩Γ₁ ⊢ Δ₁,C'
  ──────────── WL
  Γ₁ ⊢ Δ₁,C'

The formal proof witness is

  WL (Γ₁, Δ₁ ∪ {C'}) dl

Similarly

  dr
  C',Γ∩Γ₂ ⊢ Δ₂
  ──────────── WL
  C',Γ₂ ⊢ Δ₂

The formal proof witness is

  WL ({C'} ∪ Γ₂, Δ₂) dr

• Case A ∈ Γ₁, A ∉ Γ₂. Then

  dl
  Γ∩Γ₁ ⊢ Δ₁,C'
  ──────────── WL
  Γ₁ ⊢ Δ₁,C'

The formal proof witness is

  WL (Γ₁, Δ₁ ∪ {C'}) dl

dr is already a witness for C',Γ₂ ⊢ Δ₂.

• Case A ∉ Γ₁, A ∈ Γ₂. Symmetric to previous case.

• Case A ∉ Γ₁, A ∉ Γ₂. Contradiction.

7.13 Case WR

Symmetric to WL.
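Read operationally, the case analysis of Sects. 7.1 to 7.13 is an algorithm that computes the interpolant C from a derivation. The Python program below is an added example written for this page, not the paper's Isabelle development. It implements that algorithm for the propositional rules of Fig. 1 (the quantifier cases need the binding machinery of Sect. 8 and are omitted; ∨L and ∨R are also omitted, since they mirror ∧R and ∧L exactly as Sects. 7.4 and 7.5 say), together with a wellformedness check in the spirit of is-deriv, and then checks the computed C against both sequents of Thm. 6.2 by truth-table evaluation and against the four polarity conditions of lemma craig''. The names node, is_deriv, interpolate, valid, interpolant_ok and the two sample derivations EX1, EX2 are this example's own; derivation nodes store the analysed formula explicitly rather than recovering it through the existential in is-deriv; and the ⊥L and ⊤R cases, which the paper does not spell out, use the obvious interpolants (⊥ when the analysed ⊥ or ⊤ lies in Γ₁ or Δ₁, ⊤ otherwise).

```python
from itertools import product

# Formulae: ('P', i) is P_i applied to no variables; ('bot',), ('top',), ('and', A, B),
# ('or', A, B), ('not', A) are the remaining constructors of Sect. 4.
BOT, TOP = ('bot',), ('top',)
def P(i): return ('P', i)
def And(a, b): return ('and', a, b)
def Or(a, b): return ('or', a, b)
def Not(a): return ('not', a)
def posneg(f):
    """Predicates occurring positively / negatively in f; negation swaps the pair."""
    if f[0] == 'P': return ({f[1]}, set())
    if f[0] in ('bot', 'top'): return (set(), set())
    if f[0] in ('and', 'or'):
        (fp, fn), (gp, gn) = posneg(f[1]), posneg(f[2])
        return (fp | gp, fn | gn)
    p, n = posneg(f[1])
    return (n, p)
def pos(f): return posneg(f)[0]
def neg(f): return posneg(f)[1]
def node(rule, G, D, A, *subs):
    """Derivation node: rule, root (Γ, Δ) as frozensets, analysed formula A, subderivations."""
    return (rule, frozenset(G), frozenset(D), A, subs)

def is_deriv(d):
    """Wellformedness in the spirit of is-deriv (Sect. 5); analysed formulae are retained."""
    rule, G, D, A, subs = d
    if not all(is_deriv(s) for s in subs): return False
    roots = [(s[1], s[2]) for s in subs]
    if rule == 'Init': return not subs and A in G and A in D
    if rule == 'BotL': return not subs and BOT in G
    if rule == 'TopR': return not subs and TOP in D
    if rule == 'AndL': return A in G and A[0] == 'and' and roots == [(G | {A[1], A[2]}, D)]
    if rule == 'AndR': return A in D and A[0] == 'and' and roots == [(G, D | {A[1]}), (G, D | {A[2]})]
    if rule == 'NotL': return A in G and A[0] == 'not' and roots == [(G, D | {A[1]})]
    if rule == 'NotR': return A in D and A[0] == 'not' and roots == [(G | {A[1]}, D)]
    if rule == 'WL':   return len(roots) == 1 and G == roots[0][0] | {A} and D == roots[0][1]
    if rule == 'WR':   return len(roots) == 1 and G == roots[0][0] and D == roots[0][1] | {A}
    return False

def interpolate(d, G1, G2, D1, D2):
    """Thm. 6.2 as an algorithm: from d with root (Γ₁∪Γ₂, Δ₁∪Δ₂) compute C with Γ₁ ⊢ Δ₁,C and C,Γ₂ ⊢ Δ₂."""
    rule, G, D, A, subs = d
    assert G == G1 | G2 and D == D1 | D2, "split does not match the root sequent"
    s = subs[0] if subs else None
    if rule == 'Init':                                   # the four subcases of Sect. 7.1
        if A in G1 and A in D1: return BOT
        if A in G1: return A                             # A ∈ Γ₁, A ∈ Δ₂
        if A in D1: return Not(A)                        # A ∈ Γ₂, A ∈ Δ₁
        return TOP                                       # A ∈ Γ₂, A ∈ Δ₂
    if rule == 'BotL': return BOT if BOT in G1 else TOP  # ⊥L / ⊤R: not spelled out in the paper
    if rule == 'TopR': return BOT if TOP in D1 else TOP
    if rule == 'AndL':                                   # Sect. 7.2: the split follows A∧B
        return (interpolate(s, G1 | {A[1], A[2]}, G2, D1, D2) if A in G1
                else interpolate(s, G1, G2 | {A[1], A[2]}, D1, D2))
    if rule == 'NotL':                                   # Sect. 7.6: A changes side, landing in the
        return (interpolate(s, G1, G2, D1 | {A[1]}, D2) if A in G1   # Δ paired with ¬A's Γ
                else interpolate(s, G1, G2, D1, D2 | {A[1]}))
    if rule == 'NotR':                                   # Sect. 7.7, symmetric to ¬L
        return (interpolate(s, G1 | {A[1]}, G2, D1, D2) if A in D1
                else interpolate(s, G1, G2 | {A[1]}, D1, D2))
    if rule == 'AndR':                                   # Sect. 7.3: ∨ if A∧B ∈ Δ₁, ∧ if A∧B ∈ Δ₂
        if A in D1:
            return Or(interpolate(subs[0], G1, G2, D1 | {A[1]}, D2),
                      interpolate(subs[1], G1, G2, D1 | {A[2]}, D2))
        return And(interpolate(subs[0], G1, G2, D1, D2 | {A[1]}),
                   interpolate(subs[1], G1, G2, D1, D2 | {A[2]}))
    G0, D0 = s[1], s[2]                                  # WL / WR (Sects. 7.12, 7.13): restrict
    return interpolate(s, G1 & G0, G2 & G0, D1 & D0, D2 & D0)  # the split to the premise

def ev(f, v):  # truth value of f under the valuation v (atom index -> bool)
    t = f[0]
    if t == 'P': return v[f[1]]
    if t in ('bot', 'top'): return t == 'top'
    if t == 'and': return ev(f[1], v) and ev(f[2], v)
    return ev(f[1], v) or ev(f[2], v) if t == 'or' else not ev(f[1], v)

def valid(G, D):
    """Classical validity of Γ ⊢ Δ, by enumerating all valuations of the atoms involved."""
    atoms = lambda f: {f[1]} if f[0] == 'P' else set().union(*(atoms(g) for g in f[1:]))
    ats = sorted(set().union(*(atoms(f) for f in G | D)))
    return all(any(ev(f, v) for f in D) or not all(ev(f, v) for f in G)
               for v in (dict(zip(ats, b)) for b in product([False, True], repeat=len(ats))))

def interpolant_ok(C, G1, G2, D1, D2):
    """Both sequents of Thm. 6.2 are valid and the four polarity conditions of lemma craig'' hold."""
    U = lambda S, h: set().union(*(h(x) for x in S))
    return (valid(G1, D1 | {C}) and valid(G2 | {C}, D2)
            and pos(C) <= U(G1, pos) | U(D1, neg) and pos(C) <= U(G2, neg) | U(D2, pos)
            and neg(C) <= U(G1, neg) | U(D1, pos) and neg(C) <= U(G2, pos) | U(D2, neg))

# Constructed example 1: Γ₁ = {P0∧P1}, Γ₂ = {¬P0}, Δ₁ = Δ₂ = {}; the derivation, read bottom-up,
# is ∧L on P0∧P1, then ¬L on ¬P0, then Init on P0.  The interpolant should come out as P0.
P0, P1 = P(0), P(1)
G1a, G2a, Ea = frozenset({And(P0, P1)}), frozenset({Not(P0)}), frozenset()
EX1 = node('AndL', G1a | G2a, Ea, And(P0, P1), node('NotL', G1a | G2a | {P0, P1}, Ea, Not(P0),
           node('Init', G1a | G2a | {P0, P1}, {P0}, P0)))
# Constructed example 2: Γ₁ = {P0}, Γ₂ = {P1}, Δ₁ = {}, Δ₂ = {P0∧P1}; ∧R over two Init leaves.
G1b, G2b, D2b = frozenset({P0}), frozenset({P1}), frozenset({And(P0, P1)})
EX2 = node('AndR', G1b | G2b, D2b, And(P0, P1), node('Init', G1b | G2b, D2b | {P0}, P0),
           node('Init', G1b | G2b, D2b | {P1}, P1))
```

Running interpolate(EX1, G1a, G2a, Ea, Ea) yields P0, and swapping the two Γ components (interpolate(EX1, G2a, G1a, Ea, Ea)) yields ¬P0, which is exactly the polarity bookkeeping that motivated the split sequent in Sect. 6: the same derivation gives a different interpolant depending on which side of the split the negation sits on. For EX2 the ∧R case with A∧B ∈ Δ₂ produces the conjunction P0 ∧ ⊤, the ⊤ coming from the Init leaf whose shared formula P1 lies in Γ₂ and Δ₂. interpolant_ok checks each result semantically and against the polarity conditions, which is the part of the proof the informal presentation of Sect. 7 leaves out.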






8. Concrete Development of Formulae 

The development described in the previous sections is axiomatic. 
We also provide a fully conservative definition based on a de Bruijn 
representation of binding for formulae. 
Formulae are defined as follows. 

datatype form = P pred (tm list) 

V + 
VI 

V A form form 

V V/orm form 

V ^_form 

V FAllform 

V FExform 

Substitution is defined as usual. 

consts /vm/m? :: {yar => tm) => form =?form 
primrec 

fsubst s (P i tms) = P i (map s tms) 
fsubst s _L = _L 
fsubst sT = T 

fsubst s (A A B) = A (fsubst s A) (fsubst s B) 
fsubst s(VAS) = V (/rafof s A) {fsubst s B) 
fsubst s (22 A) = 22 (fsubst s A) 

fsubst s (FAll A) = (let s = (A v. case v ofO =>0V Sue n => Sue (s «)) 
in FAll (fsubst s A)) 

fsubst s (FExA) = (let s = (A v. case vo/0=>OV Sue n =>• Sue (s «)) 
in FEx (fsubst sA)) 

The axiomatic formulae constructors are defined concretely as 
follows. 

consts 

V :: var =>• form => form 
3_ :: var ^-form => form 

defs 

Vfl^s MZZ (fsubst (A v. ifv = a then else Sue v) A) 
3_ a A = FEx (fsubst (A v. ifv = a then else Sue v) A) 

Instantiation of quantified formulae is defined as follows. 

consts 

FAll-inst :: tm =>form => form 
FEx-inst :: tm ^form =>■ form 
primrec 

FAll-inst t (FAll A) = fsubst (A v. case v ofO => t V Sue n=$-n) A 
primrec 

FEx-inst t (FEx A) = fsubst (A v. case v ofO => / V Sue n=? n) A 

Positive and negative occurrences are defined in a mutually 
recursive fashion. 

consts posneg :: form ⇒ pred set × pred set
primrec
  posneg (P i vs) = ({i}, {})
  posneg ⊥ = ({}, {})
  posneg ⊤ = ({}, {})
  posneg (∧ f g) = (let (fp, fn) = posneg f in
                    let (gp, gn) = posneg g in
                    (fp ∪ gp, fn ∪ gn))
  posneg (∨ f g) = (let (fp, fn) = posneg f in
                    let (gp, gn) = posneg g in
                    (fp ∪ gp, fn ∪ gn))
  posneg (¬ f) = (let (p, n) = posneg f in (n, p))
  posneg (FAll f) = posneg f
  posneg (FEx f) = posneg f

constdefs pos :: form ⇒ pred set
  pos ≡ fst o posneg

constdefs neg :: form ⇒ pred set
  neg ≡ snd o posneg

Free variables are defined using an auxiliary function. 

consts preSuc :: nat list ⇒ nat list
primrec
  preSuc [] = []
  preSuc (a # list) = (case a of 0 ⇒ preSuc list | Suc n ⇒ n # (preSuc list))

consts fv :: form ⇒ var list
primrec
  fv (P i tms) = tms
  fv ⊥ = []
  fv ⊤ = []
  fv (∧ A B) = (fv A) @ (fv B)
  fv (∨ A B) = (fv A) @ (fv B)
  fv (¬ A) = fv A
  fv (FAll A) = preSuc (fv A)
  fv (FEx A) = preSuc (fv A)
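The whole concrete development above (substitution, the named binders defined through the de Bruijn binder, instantiation on the top quantifier, positive/negative occurrences and free variables), transcribed into Python as an added example. This is not the paper's Isabelle text: formulae are represented as tagged tuples, terms are plain naturals exactly as in the paper, and the variable and predicate indices in the demonstration are constructed sample values.

```python
# Added example (not the paper's Isabelle code): a Python transcription of
# the de Bruijn development of Section 8. As in the paper, terms are just
# variables (naturals), so a substitution is a function from nat to nat.
# Formulae are tuples: ('P', i, tms), ('bot',), ('top',), ('and', A, B),
# ('or', A, B), ('not', A), ('FAll', A), ('FEx', A).

def lift(s):
    """Push s under one binder: 0 stays bound, Suc n maps to Suc (s n)."""
    return lambda v: 0 if v == 0 else s(v - 1) + 1

def fsubst(s, f):
    """fsubst s A: apply s to the free variables of A, shifting under binders."""
    tag = f[0]
    if tag == 'P':
        return ('P', f[1], tuple(s(v) for v in f[2]))
    if tag in ('bot', 'top'):
        return f
    if tag in ('and', 'or'):
        return (tag, fsubst(s, f[1]), fsubst(s, f[2]))
    if tag == 'not':
        return ('not', fsubst(s, f[1]))
    return (tag, fsubst(lift(s), f[1]))          # 'FAll' or 'FEx'

def bind(a, f):
    """Substitution used by the named binders: a becomes index 0, others shift up."""
    return fsubst(lambda v: 0 if v == a else v + 1, f)

def forall(a, f):   # the axiomatic constructor  ∀ a A
    return ('FAll', bind(a, f))

def exists(a, f):   # the axiomatic constructor  ∃ a A
    return ('FEx', bind(a, f))

def inst(t, f):
    """FAll-inst / FEx-inst: replace index 0 by t, shift the other indices down."""
    assert f[0] in ('FAll', 'FEx')
    return fsubst(lambda v: t if v == 0 else v - 1, f[1])

def posneg(f):
    """(positively occurring predicates, negatively occurring predicates)."""
    tag = f[0]
    if tag == 'P':
        return ({f[1]}, set())
    if tag in ('bot', 'top'):
        return (set(), set())
    if tag in ('and', 'or'):
        fp, fn = posneg(f[1])
        gp, gn = posneg(f[2])
        return (fp | gp, fn | gn)
    if tag == 'not':
        p, n = posneg(f[1])
        return (n, p)
    return posneg(f[1])                          # binders do not change polarity

def pos(f):
    return posneg(f)[0]

def neg(f):
    return posneg(f)[1]

def pre_suc(xs):
    """preSuc: drop the bound index 0 and shift every other index down by one."""
    return [v - 1 for v in xs if v != 0]

def fv(f):
    """Free variables, read through binders with preSuc."""
    tag = f[0]
    if tag == 'P':
        return list(f[2])
    if tag in ('bot', 'top'):
        return []
    if tag in ('and', 'or'):
        return fv(f[1]) + fv(f[2])
    if tag == 'not':
        return fv(f[1])
    return pre_suc(fv(f[1]))

def demo():
    """Constructed sample: a = 5, b = 7 are named variables, t = 9 a term."""
    a, b, t = 5, 7, 9
    A = ('P', 0, (a, b))
    nested = forall(a, forall(b, A))             # ∀a ∀b P(a, b)
    # Instantiating the top quantifier with t yields the named formula ∀b P(t, b)
    return nested, inst(t, nested), fv(nested), fv(inst(t, nested))

if __name__ == '__main__':
    print(demo())
```

Running `demo()` shows the two points the text relies on: ∀a ∀b P(a, b) becomes FAll (FAll (P [1, 0])) with no free variables, and instantiating its top quantifier with t gives exactly the formula obtained by building ∀b P(t, b) with the named binder, so the axiomatic interface never has to mention the underlying indices.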

All properties which we previously asserted axiomatically are 
proved for the corresponding concrete development. The main 
proof of Craig's Interpolation Theorem can run happily using either 
the axiomatic development or the concrete development. 

9. Analysis 

9.1 Formal v. Informal 

In the preceding sections we have given an informal account of a 
formal mechanised proof. We have omitted numerous checks from 
the informal proof. For example: 

• We noted already the omission of the checks on the polarity of 
predicates appearing in the interpolation formula. 

• We omitted checking wellformedness of intermediate deriva- 
tions which are used as witnesses in the proof. 

• We omitted cases where symmetry is sufficient to allow the 
reader to reconstruct the proof from a previous case. 

• We omitted eigenvariable checks in ∀R, ∃L cases. 

Suffice it to say, including these details would have substantially 
increased the size of the informal presentation. Nevertheless, the 
informal presentation is by no means short. 

The formal, mechanised version can be significantly shorter 
than an informal presentation because much of the proof can be 
relegated to automation. However, the formal proof is certainly less 
readable. 

Ideally one would like the formal and the informal presentation 
to inhabit the same document. Ideally the formal terms should be 
typeset as informal practice. For example, derivations used in the 
proof should be typeset as such, not just quoted as HOL terms. Al- 
though Isabelle possesses some facilities in this area, improvements 
can certainly be made. 

9.2 Mechanisation Statistics 

Our abstract development of formulae consists of 95 lines (includ- 
ing whitespace), of which none are tactic lines, and our concrete 
development contains 210 lines, of which 51 are tactic lines. 

Our main mechanised theory file contains 410 tactic lines. Each 
case in the main proof requires us to prove about 10 different sub- 
goals, and each subgoal corresponds roughly to a single line of tac- 
tic script. We have 5 connectives or quantifiers, 10 corresponding 
left and right rules, and 2 subcases per rule, giving 20 cases in total. 
In addition, there are 4 cases for the Init rule, and 4 cases each for 
the two W rules, giving a total of 20 + 4+ (4 + 4) = 32 cases in all. 






At approximately 10 lines per case, this gives rise to approximately 
320 tactic lines, with the rest related to setting up outside induc- 
tions, and the derivation of the weak form of Craig's Interpolation 
Theorem. 

The total line count is under 1000 lines, and this includes many 
whitespace lines, lemmas that reproduce in Isar what previously 
was conducted using tactics, and lines whose sole purpose is to re- 
quote formal witnesses so that they can be included in this informal 
presentation. 

The point is simply that this development is extremely short. 

9.3 Aims of the Mechanisation 

In this section, we discuss what we tried to achieve with the mech- 
anisation. Some of these achievements are far from obvious even 
when replaying the mechanised text step by step. 

• Clear, Correct and Complete We hope our presentation is 
clear. Existing presentations are lacking in this area. For exam- 
ple, Girard in [Gir87] rephrases the induction statement halfway 
through the proof, whereas we have been careful to state our 
theorems precisely. Moreover, because we have formalised the 
proofs, many details that were murky have been uncovered. A 
particular area of concern is the informal tradition of requir- 
ing that the analysed formula appear explicitly in the conclu- 
sion of a rule. We believe the resulting proofs are often hard to 
read. For example, Girard follows the tradition, but the individ- 
ual cases must introduce extra variables Γ'₁, ... which are later 
constrained such that e.g. either Γ'₁ = Γ₁, A or Γ'₁ = Γ₁. This 
doubling of the number of variables in play makes the proofs 
harder to follow. 

One of the aims of mechanisation is to ensure that the proofs are 
impeccable. Existing presentations are deficient in this regard. 
For example, Girard's presentation contains numerous typo- 
graphical mistakes. Perhaps more worryingly, Girard dismisses 
the structural cases as trivial, and omits the proofs. However, 
our experience was that the structural rules, WL, WR, com- 
bined with sequents that are (pairs of) sets of formulae, were 
the hardest to get right. We hope their inclusion here will clar- 
ify what otherwise might have remained a murky part of the 
proof. Certainly we have addressed all relevant cases, so that 
our presentation is complete. 

Correctness of the proofs ultimately rests on the foundation of 
the theorem prover in which the mechanisation has taken place. 
Isabelle/HOL is a fully expansive theorem prover, whose kernel 
is small and has often been certified by experts. It is extremely 
unlikely that Isabelle would incorrectly assert that a theorem 
had been proven. 

For correctness, one also requires that the definitions corre- 
spond to the related informal notions. We have tried to ensure 
that this is the case in two ways. We have used concrete math- 
ematical structures which directly correspond to the intuitive 
notions wherever possible, rather than resorting to sophisticated 
techniques such as HOAS. Our derivations are concrete objects. 
Our sets of formulae are indeed sets. We have provided a stan- 
dard presentation of first order formulae based on de Bruijn 
indices. Since much other work has been conducted with de 
Bruijn indices, they are fairly well understood, so that it should 
be easy to convince oneself of the correctness of our concrete 
presentation. On the other hand, we do not want our definitions 
to be over concrete, and so introduce unnecessary complexities. 
For example, we do not want our proofs to take advantage of 
properties that are present only for one particular implementation 
of formulae. For this reason, we have also isolated the weakest 
possible properties required in our proofs. For example, our 
axiomatic presentation of first order formulae, which involves 
variable binding, is extremely weak. For our particular proof of 
Craig's Interpolation Theorem, these properties cannot be made 
weaker. These properties should be satisfied by any reasonable 
concrete implementation of first order formulae⁴. Of 
course, we tied the two presentations of formulae together by 
proving that the axiomatic properties we require are satisfied 
by the de Bruijn representation. 

It is still the case that the informal presentation in this paper, 
which is written by hand, may contain typos and other errors. 
Until the mechanised text becomes primary, this is inevitable. 
We have attempted to prevent errors creeping in by explicitly 
quoting the formal witnesses in the informal text. However, er- 
rors may still arise. The mechanised text does not suffer from 
these problems. Against this, even our informal presentation 
surely contains less errors and typos than appear in standard 
presentations. We hope that our presentation becomes defini- 
tive. 

• Appropriate use of Automation To formally prove Craig's 
Interpolation Theorem without automation would be a very 
lengthy task. We have used automation extensively to keep the 
formal mechanised proof to a small size. On the other hand, 
the only parts of the tactic script that are really essential are the 
initial use of induction over the size of the derivation, and the 
witnesses used to instantiate quantifiers. Thus, the proof could 
be made considerably smaller, i.e. the proof could simply be a 
call to automation with the existential witnesses supplied as a 
hint. However, we also wanted to preserve the structure of the 
proof, so that although the proof could be automated in one or 
two lines of tactic script, we prefer to sketch out the main case 
splits and match reasonably high-level subgoals to tactic lines 
in the mechanised proof. 

• Elegance, Simplicity Our mechanisation is succinct. Our 
proofs are the weakest and most direct that we could manage. 
Usually there is some trade off in this area. Weakest proofs are 
typically those arrived at using Cut free proofs, and minimal 
strengthening of induction statements. However, it is some- 
times the case that one can strengthen the induction statement 
in many ways, perhaps so that it is much stronger than re- 
quired, but such that it is syntactically simpler than the minimal 
strengthening. The only possible place where we have strength- 
ened an induction statement is in the statement of the strong 
form of Craig's Interpolation Theorem, and this is a standard 
strengthening which we felt it would be unwise to deviate from. 
Moreover, we did not see much scope for a syntactically sim- 
pler version. Other than this, our proofs are Cut free, and as 
weak as they can be. This is what gives rise to the very weak 
axiomatisation of the properties of first order formulae. 

For us, elegance is closely tied to syntactic properties of proofs 
and definitions. Thus, Cut free proofs are inherently elegant be- 
cause, for example, they proceed without detour, direct from as- 
sumptions to conclusions. In addition, we have strived to keep 
our definitions simple and elementary. Simplicity aids under- 
standing. Our aim in this is that the reader should never at any 
point feel that the development is not completely straightfor- 
ward and elementary. 

As an example of how we achieve simplicity, what is not so 
obvious from the informal and formal mechanised presentation 
of the result is the extent to which we have played around with 
various definitions to allow the mechanisation to be as clear and 
straightforward as possible. For example, the two W rules are 
actually admissible. However, since they are used extensively to 
form the derivation witnesses required in the proof, we would 
have to prove them admissible if we omitted them from our 
basic system. This in turn would involve a separate inductive 
proof to show the well known substitutivity property of eigen- 
variables in proofs. This would be a considerable detour, whilst 
we prefer our mechanisation to remain focused solely on the 
proof of Craig's Interpolation Theorem. Craig's Interpolation 
Theorem is essentially a structural theorem, so a detour into 
eigenvariable properties would be out of place and detract from 
the essence of the proof. For these reasons, we include the W 
rules explicitly. The cost is that we must treat these cases in the 
proof. However, these cases are intrinsically interesting, as the 
hardest cases, and are required in other presentations, so that 
including these cases explicitly is a double gain. 

⁴ This is not quite true, since in order to make the mechanisation as slick 
as possible, we have used equality rather than alpha equivalence. A mech- 
anisation based on named variables and alpha equivalence would have to 
quotient the type of formulae by alpha in order to satisfy our axioms. 

• Modularity 

In order to support different implementations of formulae, in 
this particular case the axiomatic version and the version based 
on de Bruijn notation, we have modularised our development. 
This consists of two related tasks. 

■ Identifying the weakest properties of formulae that are re- 
quired in the main proof of Craig's Interpolation Theorem. 

■ Identifying a minimal common language that all implemen- 
tations of formulae have. 

To find the weakest properties of formulae, one typically devel- 
ops a Cut free proof, and examines the leaves of the proof to 
identify those that are provable solely in the language of formu- 
lae. To identify a minimal common language one examines the 
formulae constructs that appear in the main proof and tries to 
eliminate as much as possible. 

In fact, these two activities are linked: one cannot conduct a 
proof, or even state the theorem, without some notion of what 
a formula is. On the other hand, the statement of the theorem 
may involve references to formulae constructs that are really 
redundant, yet their presence in the theorem statement forces 
their use throughout the proof. 

For example, the notion of substitution which appears in the 
de Bruijn presentation, is present in some form in all concrete 
representations. It is therefore part of the common language. 
However, its absence from our axiomatic presentation of for- 
mulae indicates that it is not a necessary notion in order to 
prove Craig's Interpolation Theorem. Whilst conducting early 
versions of the proofs, we began to suspect that substitution 
could be eliminated from the common language we were us- 
ing for formulae, and we worked to bring this about. This is 
related to our previous comments on including the weakening 
rules explicitly. 

We discuss these issues further in the section on applications of 
Craig's Interpolation Theorem, Sect. 10. 

10. Applications 

In the introduction we claimed that Craig's Interpolation Theorem 
has many applications. In fact, it is the kind of result that becomes 
part of one's way of thinking about mechanisation, such are its 
diverse applications. 

Let us immediately repeat that Craig's Interpolation Theorem 
has a constructive proof, which is to say, it is an algorithm that 
transforms proofs and furnishes the interpolation formula. We have 
not expressed it as a deterministic algorithm, because the proof 
is essentially non-deterministic, so that determinising it would be 
inelegant. Nevertheless it would be simple to write a primitive 
recursive function which produced the interpolant. 

As another example, Craig's Interpolation Theorem can be used 
in automatic proof search. Suppose we have two (disjoint) lan- 
guages (sets of predicates which may appear in formulae) L₁, L₂. 
We wish to prove 

Γ₁, Γ₂ ⊢ Δ₁, Δ₂ 

where Γᵢ, Δᵢ is expressed in language Lᵢ. By the strengthened 
interpolation theorem, Thm. 6.2, we can find a formula C such that 

Γ₁ ⊢ Δ₁, C and C, Γ₂ ⊢ Δ₂ 

and moreover such that all predicates appearing in C appear 
also in Γ₁, Δ₁ and in Γ₂, Δ₂. But since L₁, L₂ are disjoint, C can 
only be ⊥ or ⊤⁵. So 

Γ₁ ⊢ Δ₁ or Γ₂ ⊢ Δ₂ 

We can then call our automation separately and in parallel on 
these two subproblems. In this way we have reduced the search 
space considerably, with nothing but syntactic considerations. This 
is an example of "purity of methods". As another example of 
purity of methods, if a sequent expressed in the language of L₁ 
is provable, it is provable without taking a detour via L₂, which is 
direct from the subformula property of Cut free derivations. Clearly 
this is extremely useful when restricting automation which would 
otherwise wander off into the extensive libraries of modern theorem 
provers in its search for a proof of some specific statement in a 
clearly defined sublanguage. 

Let us now consider a more subtle use of Craig's Interpolation 
Theorem. Suppose we wish to conduct a mechanisation that uses 
some form of variable abstraction and binding. For example, in 
our mechanisation we wish to have a representation of first order 
formulae. We might wish to use our favourite representation, say, 
de Bruijn. The basic type of abstraction provided by de Bruijn 
representations binds the free 0th variable, as is evident in the 
datatype of de Bruijn formulae. 

datatype form = ...
              | FAll form
              | FEx form

Whilst this may make sense for a representation where variables 
are numbers, it makes no sense for a named representation say, 
where there is no inherent notion of order on the variables. 

Craig's Interpolation Theorem suggests that we should pay 
close attention to the language we use to state theorems. For exam- 
ple, let F represent the axioms for our representation of formulae, 
and T the main theorem we wish to prove. Then we can find a C 
such that 

F ⊢ C and C ⊢ T 

This C is the interface between the subtheory generated by F 
and our main theory in which we prove T. If we now replace F 
with some other implementation of formulae, F', we would have 
to rephrase T in terms of this new implementation as T', the lem- 
mas C exported by our theory of formulae would change to C', and 
much additional reworking of proofs would result. To remedy this, 
we should express T using formulae constructs that are found in 
every implementation. In this case, Craig's Interpolation Theorem 
assures us that C must be expressed also in this shared language, 
and the only rework that is required when changing formulae rep- 
resentations is in the proof of F' ⊢ C. 

⁵ Or conjunctions, disjunctions, negations of ⊤, ⊥ which can be simpli- 
fied to ⊥ or ⊤. 

Returning to our example, if we used the de Bruijn representa- 
tion directly, our phrasing of Craig's Interpolation Theorem would 
include de Bruijn constructs, and our mechanisation would include 
much that was specific to de Bruijn representations. 

For this reason, we avoid the basic de Bruijn abstraction, and 
work instead with a named abstraction, even though named ab- 
straction is not a given for our underlying de Bruijn implementa- 
tion. We do not unnecessarily bias our development towards named 
implementations either: rather than instantiate a quantifier ∀x.A 
as [t/x]A, we have an operation of "instantiation on the top most 
quantifier", FAll-inst t (∀x.A). Our axiomatic presentation (which 
is nothing more than the separate clauses of the interpolant C) 
certainly hides the de Bruijn specific constructs. The advantage is 
that we could later substitute some new implementation of formu- 
lae (named, bound/free) without any additional work in the main 
theory, though we would of course have to prove our axioms (the 
clauses of our interpolant C) were satisfied in this new implemen- 
tation. In this way we have used Craig's Interpolation Theorem in 
the mechanisation of the proof of the theorem itself! 

This approach can also be used to refactor existing theories, 
since Craig's Interpolation Theorem transforms existing proofs. 

In my thesis [Rid05] I suggest other ways in which Craig's 
Interpolation Theorem can shape a mechanisation. 

11. Conclusion 

We presented the first complete mechanisation of Craig's Interpo- 
lation Theorem. We also talked about some aspects of the mechani- 
sation, and some of the applications of the theorem to mechanised 
reasoning. In the main text, we have indicated where the contribu- 
tions of the paper lie, and we briefly recap some of these here. 



• Clear, correct and complete formal presentation of Craig's In- 
terpolation Theorem. We have worked hard to isolate the minimal 
properties we require during the proof. For example, we present a 
very weak axiomatisation of first order formulae. For another ex- 
ample, we phrase the logical system in such a way that we avoid a 
detour through the eigenvariable properties of derivations. 

• Complete rendition of mechanised version, save that some 
proof scripts have been omitted. 

• Discussion of the application of Craig's Interpolation Theorem 
to mechanisation and automation. Particularly, we described our 
development of first order formulae with their notion of binding, 
and how we obtained such a weak axiomatisation. 

There is some related work. In [Bou96], the author develops 
a partial proof of Craig's Interpolation Theorem in Coq. This is 
based on a single propositional connective, NAND. As the author 
admits, the intent was to extend the work to the usual formulae, 
but unfortunately this was never attempted. This work is certainly 
considerably more involved than that presented here. Moreover, 
the importance of these results usually does not lie in the result 
itself, but in the details of the proof: if one understands the details, 
one can adapt the proof and use variants of the result in one's 
own work. Thus, the restriction to a rather unusual connective is 
indeed a real restriction, since one has to work much harder to 
translate the usual formulae one meets during proof into NAND 
form. Furthermore, the proof is sufficiently complicated that much 
of the beauty of Craig's Interpolation Theorem has been lost in the 
details of formalisation. 

Further afield, there is much formalised proof theory. Let us 
briefly mention the work of Pfenning on formalised Cut elimina- 
tion [Pfe00] in Twelf, which is inspirational. A more sophisticated 
development is that of strong normalisation for System F by Al- 
tenkirch in LEGO [Alt93]. 